GAO sees threats to industrial systems

Risks to industrial computer-based systems that control critical infrastructures could have devastating consequences, GAO says.

Risks to industrial computer-based systems that control vital critical infrastructures, such as electrical grids, oil refining and pipelines, and water treatment and distribution, are increasing and could have devastating consequences, according to a General Accounting Office report released today.

But an official with the Homeland Security Department said the government is assessing vulnerabilities at such critical infrastructures and working toward shoring up those gaps.

In addition to increasing cyber threats, the GAO cited four factors contributing to the problem:

* With the growing adoption of standardized technologies, such as Microsoft Corp.'s Windows and Unix-like operating systems, there is also the risk of exploitation of known vulnerabilities in those technologies.

* Further vulnerabilities are created as such control systems — often referred to as Supervisory Control and Data Acquisition, or SCADA — are connected to other networks and the Internet.

* Insecure connections, such as dial-up modems or wireless, without use of authentication or encryption can jeopardize the data flow.

* Information about such control systems and infrastructures is widely available to the public through industry and government publications, maps and other materials and documents through the Internet.

"Control systems can be vulnerable to a variety of attacks that could have devastating consequences, such as endangering public health and safety, damaging the environment, or causing a loss of production, generation, or distribution of public utilities," said Robert Dacey, GAO's director of information security issues. "Control systems have already been subject to a number of cyberattacks, including documented attacks on a sewage treatment system in Australia in 1999 and, more recently, on a nuclear power plant in Ohio."

Dacey and others testified today before the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee.

"It had never occurred to me that the potential threat from a computer somewhere half way around the world might exceed the harm that could be perpetrated by Mother Nature," said Rep. Adam Putnam (R-Fla.), the subcommittee's chairman. "I have learned that today's SCADA systems have been designed with little or no attention to computer security."

GAO officials recommended better coordination among the public and private sectors, better research and development of new security technologies, development of security standards, implementation of effective security management programs and better information sharing.

James McDonnell, director of DHS' Protective Security Division, which is part of the Information Analysis and Infrastructure Protection Directorate, said his group has identified 1,700 facilities that are targeted for security improvement.

"Of those sites, we have identified roughly 565 with process control systems," he said. "As appropriate, reduction in SCADA vulnerabilities will be undertaken just as reductions in physical vulnerabilities are."